Is Parallel Programming Hard, And, If So, What Can You Do About It?

E.4. HOW TO USE PROMELA 247With this example under our belt, let’s takea closer look at the commands used to analyzePromela models and then look at more elaborateexamples.E.4 How to Use PromelaGiven a source file qrcu.spin, one can use the followingcommands:spin -a qrcu.spin Create a file pan.c that fullysearches the state machine.cc -DSAFETY -o pan pan.c Compile the generatedstate-machine search. The -DSAFETY generatesoptimizations that are appropriate ifyou have only assertions (and perhaps neverstatements). If you have liveness, fairness,or forward-progress checks, you may need tocompile without -DSAFETY. If you leave off-DSAFETY when you could have used it, the programwill let you know.The optimizations produced by -DSAFETYgreatly speed things up, so you should use itwhen you can. An example situation where youcannot use -DSAFETY is when checking for livelocks(AKA “non-progress cycles”) via -DNP../pan This actually searches the state space. Thenumber of states can reach into the tens of millionswith very small state machines, so you willneed a machine with large memory. For example,qrcu.spin with 3 readers and 2 updaters required2.7GB of memory.If you aren’t sure whether your machine hasenough memory, run top in one window and./pan in another. Keep the focus on the ./panwindow so that you can quickly kill executionif need be. As soon as CPU time drops muchbelow 100%, kill./pan. If you have removed focusfrom the window running ./pan, you maywait a long time for the windowing system tograb enough memory to do anything for you.Don’t forget to capture the output, especially ifyou are working on a remote machine,If your model includes forward-progress checks,you will likely need to enable “weak fairness”via the -f command-line argument to ./pan.If your forward-progress checks involve acceptlabels, you will also need the -a argument.spin -t -p qrcu.spin Given trail file output bya run that encountered an error, output thesequence of steps leading to that error. The-g flag will also include the values of changedglobalvariables, andthe-lflagwillalsoincludethe values of changed local variables.E.4.1 Promela PeculiaritiesAlthough all computer languages have underlyingsimilarities, Promela will provide some surprises topeople used to coding in C, C++, or Java.1. In C, “;” terminates statements. In Promela itseparates them. Fortunately, more recent versionsof Spin have become much more forgivingof “extra” semicolons.2. Promela’s looping construct, the do statement,takes conditions. This do statement closely resemblesa looping if-then-else statement.3. In C’s switch statement, if there is no matchingcase, the whole statement is skipped. InPromela’s equivalent, confusingly called if, ifthere is no matching guard expression, you getan error without a recognizable correspondingerror message. So, if the error output indicatesan innocent line of code, check to see if you leftout a condition from an if or do statement.4. When creating stress tests in C, one usuallyraces suspect operations against each other repeatedly.In Promela, one instead sets up a singlerace, because Promela will search out all thepossible outcomes from that single race. Sometimesyou do need to loop in Promela, for example,if multiple operations overlap, but doingso greatly increases the size of your state space.5. In C, the easiest thing to do is to maintain aloop counter to track progress and terminatethe loop. In Promela, loop counters must beavoided like the plague because they cause thestate space to explode. On the other hand,there is no penalty for infinite loops in Promelaas long as the none of the variables monotonicallyincrease or decrease – Promela will figureout how many passes through the loop reallymatter, and automatically prune execution beyondthat point.6. In C torture-test code, it is often wise to keepper-task control variables. They are cheap toread, andgreatlyaidindebuggingthetestcode.InPromela, per-taskcontrolvariablesshouldbeused only when there is no other alternative. Tosee this, consider a 5-task verification with one